Cyber Intel Brief: June 01 – 07, 2023

In today’s rapidly evolving digital landscape, organizations face an ever-growing threat from cybercriminals and malicious actors. We cannot overstate the importance of robust network monitoring and cybersecurity measures, especially when it comes to safeguarding sensitive data, maintaining operational continuity, and protecting your organization’s reputation.

As a trusted Managed Detection and Response (MDR) provider, we understand the critical importance of staying ahead of emerging threats. In this blog post, we delve into exclusive insights from an early warning cyber threat intelligence report sourced from publicly available intelligence exclusive to our valued customers. By sharing this invaluable information with you, we aim to empower your organization to proactively mitigate risks, enhance your security posture, and protect your bottom line.

In this week’s Cyber Intel Brief, we explore several cyber threats, including TrueBot, Qakbot, the APT groups Dark Pink and Kimsuky, and the latest additions to dark web data leak sites and CISA’s Known Exploited Vulnerabilities Catalog. By understanding the nature of these threats and the recommended mitigative actions, you will be equipped with the knowledge to take proactive steps in securing your organization.

We invite you to read on and discover how you can strengthen your defenses against these evolving threats. By implementing the strategies and recommendations outlined here, you can safeguard your organization’s critical assets and gain peace of mind in an increasingly volatile digital landscape.

Remember, effective cybersecurity is not just about reacting to attacks but also anticipating and preventing them. Let’s delve into the world of TrueBot and Qakbot, gain valuable insights, and ensure your organization remains secure and resilient against these emerging cyber threats.

This Week’s Source Material

Staying Ahead of TrueBot and Qakbot Malware Threats

Targeted Industries: Finance and Insurance, Education, Information, Professional Services, Healthcare and Social Assistance, and Manufacturing

In today’s digital landscape, cyber threats continue to evolve, posing significant risks to organizations across various industries. In this blog post, we delve into two emerging cyber threats: TrueBot and Qakbot. These malware variants have specifically targeted the financial and educational sectors, making it crucial for institutions in these industries to take proactive measures to safeguard their systems, data, and reputation. Read on to understand the nature of these threats, their potential impacts, and the recommended actions to mitigate the risks.

TrueBot: A Continuing Threat to the Financial Sector and Now the Educational Sector

TrueBot, attributed to the Silence Group, is a downloader trojan botnet that poses a high risk to financial and educational institutions. Known for their advanced capabilities, the Silence Group leverages TrueBot to compromise systems through malicious emails and by exploiting Netwrix vulnerabilities. Once infiltrated, these compromised systems become launching points for future attacks.

The potential consequences of a successful intrusion are severe, ranging from unauthorized access to sensitive data and disruption of services to financial loss and reputational damage. To protect your organization, it is crucial to act swiftly. We recommend taking mitigative action within the next few weeks, including patching vulnerabilities and conducting end-user awareness training.

Qakbot Unveiled: Evolving Threats and Persistent Risks

An evolving threat with persistent risks, Qakbot, also known as Pinkslipbot or Qbot, has been an active cyber threat since 2007, primarily driven by financial gain through banking fraud, ransomware distribution, and the sale of infected hosts. This threat exhibits adaptability and resilience by frequently changing its initial access methods and utilizing various file types in socially engineered, email-hijacking campaigns.

Qakbot employs a range of tactics, techniques, and procedures throughout its intrusion kill chain, including email hijacking, social engineering, macro-based exploitation, and concealing its command and control infrastructure within compromised web servers and residential IP space. Organizations across sectors such as finance, insurance, information, professional services, healthcare, and manufacturing are at high risk.

The impact of a Qakbot attack can be severe, leading to financial losses, operational disruptions, reputational damage, and regulatory consequences. To safeguard your organization, implementing preventive measures is vital, including Group Policy settings to prevent script execution, disabling Microsoft Office macros by default, and enforcing policies that restrict the opening of certain file types.

Conclusion:

As cyber threats become increasingly sophisticated, financial and educational institutions must remain vigilant and proactive in protecting their systems and sensitive data. The TrueBot and Qakbot malware variants represent significant risks with potential consequences that can have far-reaching implications. Remember, proactive measures such as patching vulnerabilities, conducting end-user training, and implementing preventive policies are crucial to safeguarding your institution’s data and reputation. Don’t wait until it’s too late. Take action now to protect your financial and educational institutions from TrueBot and Qakbot.


Safeguard Your Organization from Vendor and Contractor Account Abuse

Targeted Industries: All, particularly those heavily reliant on third-party vendors and contractors

In today’s interconnected world, businesses rely heavily on third-party vendors and contractors to streamline operations and enhance productivity. However, this increasing dependence also opens new avenues for cyber adversaries to exploit. In this exclusive Cyber Intel Brief, we delve into a growing menace that threatens organizations across all industries – the misuse of vendor and contractor accounts (VCAs). Read on to understand the gravity of this threat and discover immediate measures to protect your business from potential financial losses, operational disruptions, reputational damage, and regulatory penalties.

Rising Threat: Vendor and Contractor Accounts – The New Frontier for Cyber Adversaries

Adversaries, including Advanced Persistent Threat (APT) groups, cybercriminal organizations, and individual actors, are skillfully leveraging the trust placed in third-party vendors and contractors to breach network security. By exploiting VCAs, these malicious actors bypass traditional security measures and gain unauthorized access to critical systems, with motivations ranging from data theft and espionage to disruption.

No Industry is Immune: Whether you operate in finance, healthcare, technology, or any other sector, the misuse of VCAs poses a significant risk to your organization. Adversaries target industries heavily reliant on third-party vendors and contractors, making it crucial for all businesses to fortify their defenses against this emerging threat. To counter this rising threat, strengthen your VCA security with the following measures:

  • Enforce MFA for all vendor and contractor accounts.
  • Disable unused VCAs: Regularly review and disable VCAs that are no longer required, reducing the potential attack surface and minimizing the risk of adversaries exploiting dormant accounts.
  • Apply strict controls on remote access for VCAs. Limiting access to essential systems and implementing secure remote access protocols mitigates the chances of unauthorized entry by adversaries.
  • Utilize dedicated jump boxes or vendor access applications to facilitate secure access for third-party vendors and contractors. These solutions provide a controlled environment, reducing the chances of unauthorized access and limiting the potential impact of a breach.

Conclusion:

The threat landscape continues to evolve, and adversaries are increasingly focusing on exploiting vendor and contractor accounts. Organizations cannot afford to overlook this growing menace, as the consequences can be severe and far-reaching. Businesses can safeguard their operations, reputation, and financial well-being by implementing the recommended mitigative measures, including MFA, disabling unused VCAs, restricting remote access, and employing dedicated access applications.

Don’t wait until it’s too late. Take action now to protect your business from the rising threat of vendor and contractor account abuse. Stay one step ahead of cyber adversaries and fortify your defenses against this new frontier of cyberattacks. Together, we can secure a resilient future for your organization.


Protect Your Organization from State-Sponsored Cyber Espionage

Targeted Industries: Government, Military, Non-Profit Organizations, Education, Information

In today’s interconnected world, organizations of all sizes and industries face an ever-increasing risk of cyber threats. The evolving landscape of cybercrime demands proactive measures to protect sensitive data, maintain operational continuity, and safeguard reputations. Below we shed light on two emerging Advanced Persistent Threat (APT) groups: Dark Pink and a North Korean state-sponsored cyber espionage group. Understanding their tactics and motivations will empower organizations to enhance their cybersecurity defenses and counter the evolving threat landscape.

Dark Pink APT: An Evolving Threat with Expanding Targets

The Dark Pink APT group has gained notoriety for its persistent and adaptable tactics. Initially active in the Asia-Pacific region, Dark Pink has recently expanded its operations to Belgium, Brunei, and Thailand, targeting 13 organizations across government, military, non-profit, and education sectors. Spear-phishing emails serve as their primary mode of initial access, followed by the deployment of custom tools to maintain persistence and control. Dark Pink’s use of various data exfiltration methods, including email, Dropbox, and webhooks, highlights the sophistication of their operations.

What makes Dark Pink particularly dangerous is their continuous tool updates designed to evade detection. The group poses a high risk to targeted industries, with potential consequences ranging from data breaches and operational disruptions to financial losses and regulatory implications. It is crucial for organizations, especially those handling sensitive data, to adopt modern email protection measures, foster a robust cybersecurity culture, and proactively hunt for threats.

Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

The North Korean APT group Kimsuky has recently conducted a targeted campaign to steal credentials and gather strategic intelligence. The group employed sophisticated social engineering techniques to deceive their targets. Their preferred method includes extensive email correspondence, spoofed URLs, websites designed to mimic legitimate platforms, and weaponized Office documents containing the ReconShark malware. By exploiting these tactics, the APT group aims to gain unauthorized access to sensitive information and strategic intelligence.

Organizations and individuals involved in North Korean affairs face an exceptionally high risk from Kimsuky’s activities. The potential impacts of a successful attack by this APT group are severe, ranging from unauthorized access to sensitive data to the compromise of strategic intelligence. To protect your organization from Kimsuky’s cyber threats, we strongly recommend enabling multi-factor authentication (MFA) for all user accounts, particularly for critical systems like email.

Staying Ahead of Emerging Cyber Threats

As these APT groups continue to evolve and expand their operations, it is crucial for organizations across all sectors to remain vigilant and maintain proactive cybersecurity practices. Regardless of industry, all organizations should implement robust email protection measures, establish strong passwords, enable multi-factor authentication, and install reliable antivirus tools. Continuous monitoring, threat hunting, and employee cybersecurity training are vital to identify and mitigate potential intrusions.

Conclusion:

The Dark Pink APT group and the North Korean state-sponsored cyber espionage group exemplify the evolving nature of cyber threats. Organizations must prioritize cybersecurity and take proactive measures to protect sensitive data, maintain operational continuity, and safeguard their reputation. By adopting modern email protection measures, fostering a cybersecurity culture, and implementing proactive defense strategies, organizations can stay one step ahead of emerging cyber threats and mitigate potential risks. Stay vigilant, stay secure.


Staying One Step Ahead With Our Data Leak Site Analysis

Targeted Industries: Professional, Scientific, and Technical Services, Manufacturing, Information, Education, and Wholesale Trade

In today’s digital landscape, the threat of ransomware is constantly evolving, putting businesses of all sizes and industries at risk. A recent analysis of dark web data extortion and leak sites has revealed alarming statistics, indicating the growing impact of ransomware attacks. In the past week alone, monitored ransomware threat groups have added 54 new victims to their leak sites, with 26 based in the US. As a trusted managed detection and response company, we understand the urgency of protecting your organization from such threats. In the following, we delve into the industries most affected by these attacks in the last week and explain how our advanced Managed Detection and Response solutions can help safeguard your business.

Professional, Scientific, and Technical Services: A Prime Target

The Professional, Scientific, and Technical Services industry has emerged as the most targeted sector in the last week, with 16 victims identified. This industry includes various businesses, such as legal services, consulting firms, and engineering companies. The valuable intellectual property and sensitive client data these organizations possess make them attractive targets for cybercriminals. By partnering with us and implementing our robust Managed Detection and Response solutions, you can fortify your defenses and minimize the risk of falling victim to ransomware attacks.

Manufacturing: Protecting Critical Operations

Manufacturing, a vital sector of the global economy, is also under significant threat, with 15 victims identified in the analysis. From large-scale production facilities to smaller manufacturers, organizations in this industry are susceptible to disruptive attacks that can halt operations, lead to financial losses, and compromise customer trust. Our comprehensive Managed Detection and Response solutions protect your digital assets and enhance your brand reputation.

Information and Education: Safeguarding Data Integrity

The Information and Education sectors have experienced a notable number of victims, with five and three identified, respectively. These industries handle vast amounts of sensitive data, including personal information, research findings, and educational resources. Protecting data integrity and ensuring compliance with privacy regulations is paramount. Our cutting-edge solutions employ advanced encryption, multi-factor authentication, and continuous monitoring to safeguard your data and maintain customer trust by demonstrating your commitment to cybersecurity.

Wholesale Trade: Mitigating Financial Risks

Even the Wholesale Trade industry has not escaped the attention of cybercriminals, with two victims identified in the analysis. A breach in this sector can have severe financial repercussions, including stolen customer payment information and disrupted supply chains. Our Managed Detection and Response solutions provide the following: proactive threat detection, real-time incident response, and comprehensive risk assessments to mitigate financial risks and enable your organization to thrive in a secure environment.

Conclusion:

As the threat landscape continues to evolve, businesses across various industries must prioritize cybersecurity and protect themselves from ransomware attacks. With 54 victims added to leak sites in the past week alone, the statistics highlight the urgency for proactive measures. Our managed detection and response company offers advanced Managed Detection and Response solutions to safeguard your business and maintain data integrity. Don’t wait until it’s too late—partner with us today to stay one step ahead of cyber threats and ensure the longevity and success of your organization. Contact us now to learn more about our comprehensive cybersecurity services and take control of your business’s digital security.


Protect Your Organization from The Latest Known Exploited Vulnerabilities

Targeted Industries: All

Attention, technology users and businesses! Are you aware of the latest vulnerabilities known to have been exploited by threat actors? Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added 3 new CVEs to its Known Exploited Vulnerabilities Catalog. This news should be of utmost importance to anyone using products from Zyxel and Progress. Don’t wait until it’s too late—stay informed and proactive to protect your technology assets.

CISA Adds 3 CVEs to its Known Exploited Vulnerabilities Catalog

In the past week, CISA added 3 CVEs to its Known Exploited Vulnerabilities Catalog. These vulnerabilities affect products from Zyxel and Progress. The first two vulnerabilities, CVE-2023-33009 and CVE-2023-33010, impact Zyxel’s ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls. They are both buffer overflow vulnerabilities that unauthenticated attackers could exploit to cause denial-of-service (DoS) conditions and remote code execution on the affected devices. The vulnerabilities exist in the notification function and ID processing function, respectively. The recommended action to mitigate these vulnerabilities is to apply updates according to the vendor’s instructions. The due date set by CISA for addressing these vulnerabilities is June 26, 2023.

The third vulnerability, CVE-2023-34362, affects Progress MOVEit Transfer. It is a SQL injection vulnerability that unauthenticated attackers could exploit to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used, the attacker may be able to gather information about the database structure and contents, as well as execute SQL statements to modify or delete database elements. Read more about active exploitation of this vulnerability.
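Triaging these additions is easier when the KEV catalog is read programmatically rather than by hand. The following is an added example, not code from the original brief or from CISA: it parses a constructed sample in the shape of CISA's KEV JSON feed (the field names match the real feed), filters it to the vendors in your inventory, and reports how many days remain before each CISA due date. Only the three CVE IDs, the two vendors and the June 26, 2023 due date come from the brief; the other dates and the fourth entry are constructed sample values.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON. Field names match
# the real feed; dateAdded values and the MOVEit dueDate are sample values, and
# "ExampleVendor" is a placeholder entry that should be filtered out.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2023-33009", "vendorProject": "Zyxel",
     "product": "Multiple Firewalls", "vulnerabilityName": "Zyxel Multiple Firewalls Buffer Overflow Vulnerability",
     "dateAdded": "2023-06-05", "dueDate": "2023-06-26",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-33010", "vendorProject": "Zyxel",
     "product": "Multiple Firewalls", "vulnerabilityName": "Zyxel Multiple Firewalls Buffer Overflow Vulnerability",
     "dateAdded": "2023-06-05", "dueDate": "2023-06-26",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
     "product": "MOVEit Transfer", "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-00000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "vulnerabilityName": "Placeholder entry",
     "dateAdded": "2023-06-01", "dueDate": "2023-06-22",
     "requiredAction": "Placeholder."}
  ]
}"""


def load_kev(text):
    """Return the list of catalog entries from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def added_between(entries, start, end):
    """Entries whose dateAdded falls inside [start, end] (the weekly window)."""
    return [e for e in entries
            if start <= date.fromisoformat(e["dateAdded"]) <= end]


def kev_for_inventory(entries, inventory, as_of):
    """Filter entries to vendors in the inventory and annotate each with the
    number of days left until CISA's due date, soonest deadline first."""
    wanted = {v.lower() for v in inventory}
    rows = []
    for e in entries:
        if e["vendorProject"].lower() not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"], "vendor": e["vendorProject"],
            "product": e["product"], "due": e["dueDate"],
            "days_left": (due - as_of).days, "overdue": due < as_of,
            "action": e["requiredAction"],
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    this_week = added_between(entries, date(2023, 6, 1), date(2023, 6, 7))
    for row in kev_for_inventory(this_week, ["Zyxel", "Progress"], date(2023, 6, 7)):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']} days left"
        print(f"{row['cve']}  {row['vendor']} {row['product']}  due {row['due']} ({flag})")
```

Point `load_kev` at the real catalog download instead of the sample, and pass your actual vendor list, to turn the brief's due date into a tracked deadline.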

Conclusion:

The recent addition of 3 CVEs to CISA’s Known Exploited Vulnerabilities Catalog serves as a wake-up call for organizations relying on products from Zyxel and Progress. The potential consequences can be severe if left unaddressed. Organizations must take action by applying updates or following vendor instructions to prevent unauthorized access and potential breaches. CISA has set a due date of June 26, 2023 for mitigation, emphasizing the urgency of this matter. By prioritizing security and adhering to the recommended mitigation measures, you can fortify your systems against known exploits and demonstrate your commitment to safeguarding sensitive data. Stay vigilant, stay protected, and stay ahead of the threats lurking in the digital landscape.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
